Digital Forensics Quiz 3

Description and Tags

Chapters 8 (Windows Forensics) & 13 (Network Forensics)

109 Terms

1

_______ is the Windows program that handles security and logon policies.

Lsass.exe

2

__________ is a storage controller device driver in Windows.

Ntbootdd.sys

3

__________ is a Windows file that is an interface for hardware.

Hal.dll

4

A __________ is a software program that appears to be a physical computer and executes programs as if it were a physical computer.

virtual machine

5

A hacker installed an application on a computer to recover deleted files, and then uninstalled the application to hide her tracks. Where would a forensic examiner most likely find evidence that the application was once installed?

HKLM\SOFTWARE

6

A suspect has erased their browsing history on their computer. The computer has Microsoft Internet Explorer installed. The forensic investigator must retrieve recently visited web addresses and recently opened files. What should the investigator do?

Download a tool that allows for retrieval and review of the index.dat file.

7

As applications are processing commands and data on a machine, they are in a constant state of change. This creates a problem when attempting to perform live system forensics in which data is not acquired at a unified moment. The collected data may have problems with which of the following?

Data consistency

8

Carl is beginning a digital forensic investigation. He has been sent into the field to collect a machine. When he arrives, he sees that the computer is running Windows and has open applications. He decides to preserve as much data as possible by capturing data in memory. What should Carl perform?

Volatile memory analysis

9

Marty is investigating the computer of a cyberstalking suspect. He wanted to check the suspect's browsing history in Microsoft Internet Explorer, but it had already been erased. Where else can he look on the computer for browsing history information?

The index.dat file

10

On a Windows-based machine, which file is considered the core of the operating system?

ntoskrnl.exe

11

Someone has attempted to gain unauthorized access to data files on Robert's machine. He would like to investigate if any forensic evidence has been left behind. Of the following, where should Robert start his search?

Event Viewer Security log

12

Steven is a forensic examiner. He is interested in examining the pictures across all user profiles to look for evidence of malicious activity. Where should he begin his search for these files?

C:\Users

13

The _________ file is responsible for managing services on a Windows computer.

Smss.exe

14

The Windows __________ log contains successful and unsuccessful logon events.

Security

15

The Windows Registry is organized into five sections referred to as __________, each of which contains specific information.

hives

16

The Windows Registry is organized into five sections. The __________ section contains those settings common to the entire machine, regardless of the individual user.

HKEY_LOCAL_MACHINE (HKLM)

17

The Windows Registry is organized into five sections. The __________ section is critical to forensic investigations. It has profiles for all the users, including their settings.

HKEY_USERS (HKU)

18

What is the best definition of "dump" in terms of computer memory?

A complete copy of every bit of memory or cache recorded in permanent storage or printed on paper

19

What is the definition of "stack (S)"?

Memory that is allocated based on the last-in, first-out (LIFO) principle

20

What is the repository of all information on a Windows system?

The Windows Registry

21

What is the Windows swap file used to augment?

Random access memory (RAM)

22

You boot up a machine to start a forensic investigation. You get a message on screen indicating that the "Master Boot Record Cannot Be Found." What step of the boot process has failed?

The computer has failed to read the master boot record (MBR).

23

True or False? During the boot process of a Windows computer, the NTLDR must begin loading file system drivers before the master boot record (MBR) can pass control to the boot sector on the boot partition.

False

24

True or False? In Windows 10, the Recycle Bin is located in a hidden directory.

True

25

True or False? In Windows, file permissions never change when moving a file.

False

26

True or False? In Windows, the System Resource Usage Monitor (SRUM) database collects data on executables.

True

27

True or False? In Windows, the term "64-bit processing" refers to how the central processing unit and the operating system process information.

True

28

True or False? In Windows, when copying or cutting a file to a different partition, the file will retain the rights of the source folder.

False

29

True or False? Many versions of Microsoft Word store a string in the Windows Registry that is the MAC address of the machine on which the document was created.

True

30

True or False? On a Windows system, some viruses infect the boot sector and are loaded when the system loads.

True

31

True or False? Regarding the Windows boot process, the term "power-on self-test (POST)" refers to a brief hardware test that the basic input/output system (BIOS) performs upon boot-up.

True

32

True or False? Some malware on Windows computers can modify the Windows Registry.

True

33

True or False? The netstat utility enables a forensic examiner to check live system data.

True

34

True or False? The passphrase needed to connect to a Wi-Fi network on a Windows computer is stored in the Windows Registry.

True

35

True or False? The Windows Security log contains events logged by Windows system components.

False

36

True or False? The Windows ShellBag tracks compatibility issues with executed programs.

False

37

True or False? The Windows swap file is also referred to as virtual memory.

True

38

True or False? Volume Shadow Copy (VSS) is a Windows service related to backups.

True

39

True or False? When a Windows computer connects to a wireless network, the service set identifier (SSID) is logged as a preferred network connection and can be found in the Windows Registry.

True

40

True or False? When dumping memory on a Windows computer, the forensic examiner may have to work with two types of memory: heap (H) and stack (S).

True

41

True or False? When performing volatile data analysis, you must compute the hash before and after completing the memory capture.

False

42

True or False? Windows Registry keys contain an associated value called LastWriteTime, which is similar to the datestamp on a file or folder.

False

43

A port is a number that identifies a channel in which communication can occur. Which port does HTTPS (Hypertext Transfer Protocol Secure) use for secure web browser display?

Port 443

44

A port is a number that identifies a channel in which communication can occur. Which port does SSH (Secure Shell) use to remotely and securely log on to a system?

Port 22

45

A port is a number that identifies a channel in which communication can occur. Which port is used by the Internet Message Access Protocol (IMAP) email service?

Port 220

46

All of the following are true of Internet Protocol (IP) addresses, except:

subnetting is the process of redistributing a network into larger portions.

47

Because a ________ operates based on the Media Access Control (MAC) address in a packet and that is not routable, it cannot send data to _________ or across a WAN.

switch, the internet

48

Data that is sent across a network is divided into chunks called:

packets.

49

Hajar is a forensic examiner. She suspects that hackers have infiltrated a network through a Cisco router, so she wants to perform forensics on the router. She uses the HyperTerminal tool to connect to the router safely, which is live and running. Which command should she enter to display the routing table?

show ip route

50

In which denial of service (DoS) attack does the attacker send fragments of packets with bad values in them, causing the target system to crash when it tries to reassemble the fragments?

Teardrop attack

51

Jack is a forensic specialist. He wants to examine a network router for potential evidence in a case. What is the first step he should take to safely examine the router?

Connect to the router over the network.

52

On a network, a __________ prevents traffic jams by ensuring that data goes straight from its origin to its proper destination. It remembers the address of every node on the network and anticipates where data needs to go.

switch

53

Packets are divided into three sections:

header, payload, and footer.

54

Sniffers are used to collect digital evidence. Which software package allows the user to map out what ports are open on a target system and what services are running?

Nmap

55

The 802.11 (Wi-Fi) and Ethernet protocols run at which layer of the Open Systems Interconnection (OSI) model?

Physical (Layer 1)

56

The Transmission Control Protocol (TCP) header has synchronization bits that are used to establish and terminate communications across a network between two communicating parties. The __________ bit indicates that there is no more data from the sender.

FIN

57

The Transmission Control Protocol (TCP) header has synchronization bits that are used to establish and terminate communications across a network between two communicating parties. The __________ bit synchronizes sequence numbers.

SYN

58

Which denial of service (DoS) attack generates a large number of ICMP echo requests from a single request, acting like an amplifier and causing a traffic jam in the target network?

Smurf attack

59

Which denial of service (DoS) attack sends a tremendous number of ICMP packets to the target, hoping to overwhelm it?

Ping flood

60

Which layer of the Open Systems Interconnection (OSI) model provides end-to-end communication control?

Transport (Layer 4)

61

Which wireless standard is referred to as "White-Fi" and "Super Wi-Fi"?

IEEE 802.11af

62

Which wireless standard obtains a bandwidth of up to 600 Mbps with the use of four spatial streams at a channel width of 40 MHz? It also uses multiple-input multiple-output (MIMO), which resolves more information than is possible using a single antenna.

802.11n-2009

63

True or False? 192.168.0.0 to 192.168.255.255 is a private Internet Protocol (IP) address range.

True

64

True or False? A device's log files contain the primary records of a person's activities on a system or network.

True

65

True or False? A normal network conversation starts with one side sending a packet with the SYN bit turned on.

True

66

True or False? A packet being transferred across a network can have several headers added by different protocols at different layers of the Open Systems Interconnection (OSI) model.

True

67

True or False? A packet mistreating attack is a type of denial of service (DoS) attack.

True

68

True or False? A sniffer is computer software or hardware that can intercept and log traffic passing over a digital network.

True

69

True or False? Domain Name Service (DNS) uses port 53 to translate URLs into web addresses.

True

70

True or False? In a classic port scan, a hacker sends an Internet Control Message Protocol (ICMP) packet to each port in order to see if it responds.

True

71

True or False? In a decoy scan strategy, an attacker spoofs scans that originate from a large number of decoy machines and adds his or her Internet Protocol (IP) address somewhere in the mix.

True

72

True or False? In a ping flood attack, the attacker sends fragments of packets with bad values in them, which causes the target system to crash when it tries to reassemble the fragments.

False

73

True or False? In a router table poisoning attack, the attacker alters the routing data update packets that the routing protocols need, resulting in incorrect entries in the routing table.

True

74

True or False? In a Smurf attack, the attacker sends a fake TCP SYN packet with the same source and destination Internet Protocol (IP) addresses and ports as the target computer.

False

75

True or False? Intrusion detection systems record events that match known attack signatures, such as buffer overflows or malicious code execution.

True

76

True or False? Once a computer boots and connects to a network, Ethernet assigns a private Internet Protocol (IP) address to the computer.

False

77

True or False? Routers maintain a routing table to keep track of routes, or which connections are to be used for different networks.

True

78

True or False? Stateful packet inspection is the most basic type of firewall.

False

79

True or False? The Internet Protocol (IP) address of 127.0.0.1 designates the machine you are on, regardless of that machine's assigned IP address.

True

80

True or False? The Internet Protocol (IP) header contains the source port, destination port, a sequence number, and several other fields.

False

81

True or False? The TCP (OSI Layer 4) and IP (OSI Layer 3) portions of a unit of information transfer across a network only contain a header and payload. However, if the Layer 2 portion of a unit of information transfer is analyzed, in addition to a header and payload, there is a part at the end called the octet.

False

82

True or False? Wireshark is a type of router forensic tool.

False

83

Boot Process

  1. BIOS (firmware: a small program stored on a chip on the motherboard that runs before your operating system)

    1. POST (power-on self-test) → Checks if hardware (RAM, CPU, keyboard, disks, etc.) is working properly

    2. Read MBR (master boot record) → Loading and executing the first sector of the disk (boot code and partition information necessary to start the OS)

  2. Boot Loader (responsible for starting the OS)

    1. Loads NTLDR/BOOTMGR → NT Loader

    2. Switches to 32- or 64-bit → CPU mode switch done by NTLDR; the CPU starts in 16-bit real mode

  3. Boot Files

    1. Min. drivers → minimal drivers loaded to access disk, file system, and input devices during boot

    2. boot.ini → Boot Configuration File (which OS to load and from where)

    3. NTOSKRNL → kernel that handles process management, memory, security, and hardware abstraction

    4. hal.dll → Hardware Abstraction Layer (interface between the Windows kernel and the physical hardware)

    5. Windows Registry → central configuration database for Windows

  4. Kernel Loading

  5. Win32 Subsystem starts

84

NtDetect.com

detects basic hardware devices before the OS loads, e.g., keyboard, mouse, system clock, hard drives, etc.

85

Explorer.exe

Windows shell (provides the desktop, taskbar, and File Explorer interface after successful logon)

86

Csrss.exe

console management, thread and process creation and termination, etc.

87

File System (MFT)

  • The MFT is the heart of NTFS — a special file that acts as an index for every file and folder on the volume, including system files

  • Each entry (~1 KB) describes one file or directory

  • Key forensic contents: File name and path, timestamps, content location, deleted file records (marked inactive but recoverable)

  • Why it matters: Investigators can recover deleted filenames, creation/modification times, and even partial content remnants — critical for establishing a timeline of activity or detecting file tampering

88

File System ($LogFile)

  • A transactional log that records file system changes before they are committed to disk

  • Tracks metadata updates like file creation, rename, move, and delete events

  • Helps reconstruct recent file system activity, even if a file has been deleted or overwritten

  • Can reveal timestamps more recent than the MFT (since it logs pending transactions)

89

File System ($Bitmap)

  • A bitmap file used by NTFS to track used and unused clusters on the volume.

  • Indicates which disk clusters are currently allocated.

  • By correlating with MFT records, investigators can locate unallocated/deleted data clusters.

  • Useful for carving deleted files that no longer have MFT entries but still occupy disk sectors.

90

File System ($Recycle.Bin)

  • Directory used by Windows to store deleted files before permanent removal

  • Reveals who deleted what and when

  • $I files store: Original filename and path, Date/time of deletion, File size

  • Even if files are emptied from the Recycle Bin, $I metadata may persist and can be recovered.

91

Registry

  • The Windows Registry is a hierarchical database that stores system and user configuration information.

  • It controls how Windows boots, which programs run, what hardware is installed, and user-specific settings.

  • Every action a user takes—installing software, connecting a device, opening files—often leaves traces here

92

Registry (Structure)

  • Hives → Keys → Subkeys → Values

  • Hive is the top-level database file in the registry (analogy: like a drive (C:, D:))

  • Keys are like directories or folders inside each hive. Each key can contain other keys (called subkeys) and one or more values.

  • Subkeys are keys within keys — like subfolders/subdirectories

  • Values are the data items stored under a key or subkey — like files inside folders.

  • EX: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run → Hive\Key\Subkey\Value

93

SAM (Security Account Manager)

  • Location: C:\Windows\System32\config\SAM

  • Purpose: Stores user account information and password hashes

  • Forensic Value:

    • Lists local user accounts, groups, and last logon timestamps

    • Investigators can extract password hashes

    • Crucial for logon analyses and detecting unauthorized users

  • Example Evidence: User John last logged in at 2025-9-23 08:42:16 UTC

94

SYSTEM

  • Location: C:\Windows\System32\config\SYSTEM

  • Purpose: Stores system-wide configuration and hardware information

  • Forensic Value:

    • Identify connected USB devices

    • Determine Windows startup entries, time zone, and network setup

    • Reconstruct system startup and shutdown times

  • Example Evidence: A SanDisk USB drive (Serial: 001CC0A0) was last connected on 2025-9-18 at 21:15:33.

95

SOFTWARE

  • Location: C:\Windows\System32\config\SOFTWARE

  • Purpose: Contains settings for installed applications and system components

  • Forensic Value:

    • Lists installed programs, version info, and install/uninstall times

    • Tracks recently opened files, last run programs, and autostart entries

    • Helps attribute software use to a user, proving intent or activity

  • Example Evidence: Malware ‘CryptoLocker.exe’ was registered under the Run key to launch automatically at startup

96

NTUSER.DAT

  • Location: C:\Users\<username>\NTUSER.DAT

  • Purpose: User-specific registry hive loaded when the user logs on

  • Forensic Value:

    • Contains user activity traces, including:

      • Recent file open history (RecentDocs)

      • Typed URLs (TypedURLs)

      • Search queries (WordWheelQuery)

      • Run commands (RunMRU)

    • Excellent for timeline reconstruction and user profiling

  • Example Evidence: User John opened resume.docx and searched for ‘VPN logs’ on 2025-9-21

97

USB info

  • Records details about connected USB devices

  • Forensic Use: Identifies specific USB drives, their serial numbers, and when they were last plugged in

98

Wireless Networks

  • Stores SSIDs (Service Set Identifier), connection dates, and security settings for Wi-Fi networks

  • Forensic Use: Tracks which networks a system connected to and when

  • Example: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles

99

Tracking Documents

  • Tracks recently opened or saved documents from File Explorer and dialog boxes

  • Forensic Use: Shows what files the user accessed or modified recently

  • Example: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

100

Malware

  • Malicious software often modifies registry keys or creates autorun entries

  • Forensic Use: Detects malware persistence in specific registry locations

  • Example: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run